CVE-2023-22875: 
IBM QRadar SIEM vulnerability analysis and mitigation

IBM QRadar SIEM versions 7.4 and 7.5 were found to contain a security vulnerability (CVE-2023-22875) where certificate key files used for SSL/TLS in the QRadar web user interface are copied to managed hosts in the deployment that do not require that key. The vulnerability was disclosed on January 17, 2023, and affects the security infrastructure of QRadar SIEM deployments (IBM Security Bulletin).

The vulnerability has been assigned a CVSS Base score of 8.4 with a vector of CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. The technical issue involves the improper distribution of SSL/TLS certificate keys across managed hosts within the QRadar deployment. While the key remains within the QRadar deployment, unauthorized users with access to managed hosts could potentially access the webserver key (IBM Security Bulletin).

The vulnerability can lead to potential information disclosure and compromise of data integrity. If users other than QRadar system administrators have access to managed hosts, such as flow collectors or event collectors, they might be able to access the webserver key, potentially compromising the security of the SSL/TLS implementation (IBM Security Bulletin).

IBM has released fixes for affected versions: QRadar SIEM 7.4.3 Fix Pack 8 and QRadar SIEM 7.5.0 Update Pack 4 Interim Fix 1. For immediate mitigation, administrators can remove the key from all hosts in the deployment except the console by executing specific commands. It's recommended to restrict direct SSH access to administrators only and manage hosts through the QRadar console. Note that adding new managed hosts, applying fixes, or installing new webserver TLS certificates will redistribute the keys, requiring readministration of the mitigation steps (IBM Security Bulletin).